api: Add stricter validation of input/output data

This change adds stricter validation of data that enters and leaves the
database. As a result, we clearly separate the database model from the
data model that the REST API exports.

1 files changed, 5 insertions, 4 deletions

diff --git a/opendc-web/opendc-web-api/opendc/api/portfolios.py b/opendc-web/opendc-web-api/opendc/api/portfolios.py
index b07e9da5..84ec466c 100644
--- a/opendc-web/opendc-web-api/opendc/api/portfolios.py
+++ b/opendc-web/opendc-web-api/opendc/api/portfolios.py
@@ -44,7 +44,7 @@ class Portfolio(Resource):
         portfolio.check_exists()
         portfolio.check_user_access(current_user['sub'], False)
 
-        data = portfolio.obj
+        data = PortfolioSchema().dump(portfolio.obj)
         return {'data': data}
 
     def put(self, portfolio_id):
@@ -63,7 +63,7 @@ class Portfolio(Resource):
         portfolio.set_property('targets.repeatsPerScenario', result['portfolio']['targets']['repeatsPerScenario'])
 
         portfolio.update()
-        data = portfolio.obj
+        data = PortfolioSchema().dump(portfolio.obj)
         return {'data': data}
 
     def delete(self, portfolio_id):
@@ -84,7 +84,8 @@ class Portfolio(Resource):
         project.update()
 
         old_object = portfolio.delete()
-        return {'data': old_object}
+        data = PortfolioSchema().dump(old_object)
+        return {'data': data}
 
     class PutSchema(Schema):
         """
@@ -125,7 +126,7 @@ class PortfolioScenarios(Resource):
 
         portfolio.obj['scenarioIds'].append(scenario.get_id())
         portfolio.update()
-        data = scenario.obj
+        data = ScenarioSchema().dump(scenario.obj)
         return {'data': data}
 
     class PostSchema(Schema):